It’s time to close your Yahoo account

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

If true, then the advice for the privacy-conscious is clear: close down your Yahoo account.

Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Sheesh…

Of course, it’s possible that the FBI or NSA asked other webmail companies to provide similar assistance, and that they simply haven’t told us yet.

Maybe you would be wise, if you care about your privacy, to use an alternative service that believes in you keeping your email communications private - such as ProtonMail, Posteo or Tutanota.

Remember, if you use a free service for your email - your privacy is never going to be your email provider’s highest priority.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

35 Responses

Yeah, that’s my opinion too (dump Yahoo). I’m working on it. Like Graham wrote about before, it gets complicated if you’ve had Yahoo for a while and other accounts get linked through other services. But I’m making progress understanding how it all links up and I’m getting to the point where I’m ready to pull the plug soon.

Does anyone else think that in the future, the only way to be reasonably safe is going to be to use a paid service? Free email means making too many compromises … where marketers can go, hackers and spies will follow.

‘Does anyone else think that in the future, the only way to be reasonably safe is going to be to use a paid service?’

Unless you’re knowledgeable, experienced and capable (including the network and hardware requirements) to run your own mail servers, probably yes. But I doubt paid will completely solve the problem because the law is on the side of the governments and therefore corporations might eventually have no choice (the fact it seems Yahoo didn’t fight this is another matter entirely). Even then you have the issue of is email encrypted? (That’s a rhetorical question and the answer also applies to your own private mail server if you do indeed use it between others). It’s unfortunately more complicated further so find the one with the best reputation and be ever cautious.

Funny this, I have just been trying to do the exact same thing all night before I’d even seen this. I cannot get it to delete my account; it keeps coming back with “invalid password” all the time. I have opted for Gmail as a replacement but not as my main account. It won’t die without a fight by the looks of it. :)

The main reason for quitting Yahoo Mail is simply that their UI is rubbish. I have only kept mine the past few years because Freegle is based on it, but even Freegle seem to finally be moving off the Yahoo platform so I can finally dump Yahoo now.

One of the advantages of paid for email services is you can set up loads of aliases that deliver to one Inbox, so you can have an email for each organisation you deal with, and then you can see who is selling (or leaking) your email address to spammers.

Gmail doesn’t do it properly. It allows you to add “+something” to an email address to differentiate it but this is not quite the same thing.

A proper alias can be turned off so that any emails sent to it get bounced - very useful when it starts to get spammed - but you can’t do that with Gmail, it’s just your tough luck if it starts getting spammed (but you at least know who sold/leaked the email address).

The only reason I have a Yahoo account is that it offers 500 alias addresses, so I can have a different email address for each website log-in. You set up an alias name, and then create alias addresses as needed by adding a dash followed by whatever you want to the alias, and saving it. You can delete one later if it starts getting spammed. Even though I don’t use Yahoo for real communications, and it would be a nuisance to change the email account on multiple sites, I’m considering whether I should migrate those log-ins elsewhere.
Outlook and GMX allow ten aliases per account, which look like regular Outlook or GMX addresses but forward to the primary account. You can set Outlook so that only the primary account name can be used to log in. Spamgourmet is an option for unimportant stuff.

That’s interesting. They keep that feature hidden, I had to search on “Yahoo 500 alias” to find it. I thought you could only create one extra email address which is what I’ve always been advised when I looked into it. They should promote the feature more.

I use earthlink for my email service. I pay $4.95 a month for 2 email addresses. I have been an earthlink customer for over 15 years. They give me 7 extra Anonymous Email addresses. If you use one of them and start getting a lot of spam, you can just delete it and then create another new one. I have been pleased with their service.

Good God. Everything is monitored today. Google/gmail where all your data/history is known to them. Download apps to your mobile, and look at all the info they want before you can get the app. Facebook also stores lots of your personal info. There is stuff all that is private on the internet. If you are not involved in criminal activities, then you have nothing to worry about with Govt agencies snooping.

Keep telling yourself that. That way, you’ll continue to believe it…until you get caught in some massive Federal sweep because one of your messages happened to contain some variant of the “wrong” text string.

But by then it won’t matter. You will have sold out your right to privacy and freedom of speech (and everyone else’s) by your anti-Constitutional belief. Then we’ll all live miserably ever after in the Soviet States of America.

The CCCP didn’t call itself the Soviet States of Russia. So your analogy falls down unless the two continents … oh wait, you’re one of those quaint national stereotypes who ASS-(yo)U-ME that everyone reading is in the USA!

Unless you’ve built your own hardware from discrete (in at least one sense of the word) components I’d suggest you don’t assume NO ONE can snoop on you.

Have you read Ken Thompson’s “On Trusting Trust” Turing Award presentation? Note he wrote that microcode would be harder to scrutinise. How many components in modern IT have enough processing ability to communicate behind your back?

Perhaps you could monitor all the outputs from your devices. Don’t forget to check RFI, ultrasound and modulation of the power supply!

Well, before all this recent stuff, the sale to Verizon was good enough reason to leave Yahoo. Verizon is worse when it comes to resisting gov. snooping. And they are worse than Google in how they treat users’ personal data. At least Google gives you the options to delete, turn off, OPT-OUT of things. Remember those Verizon “Super Cookies”? But, there’s going to be a traffic jam leaving Yahoo now.

Hopefully so, I would like to see paid email be a sustainable business model. And I’m afraid of just what I think you’re alluding to, Verizon coming down and disallowing the option of deleting your Yahoo account/history/data, and congratulations, you’ve got a forever account for the criminals to hack whenever they get around to it. Verizon is just the sort of company to do that.

Disclosure: As far as I know, I never have had a Yahoo mail account, so have no personal interest in it one way or the other.

The thinly sourced article at the core of this moral panic may mean a good deal less than is claimed, for several reasons.

The most obvious is that what is described may actually be less intrusive than alternatives like searching accounts, if only because it applies only to current and future messages. The answer would be in details about selectors that are unreported and unlikely to be.

Second, acquiring message content almost certainly requires a search warrant if the target is a US citizen or other person legally in the US. Because the tool is controlled by Yahoo (or was, if it is discontinued), they have the opportunity to contest warrants they consider too broad, and are reported to have done so at least once in the past, albeit unsuccessfully.

Third, despite a great deal of indignant puffing about privacy and security, the fact is that the fourth amendment of the US Constitution is far from absolute. It forbids unreasonable searches, not all searches, and requires review, often by a court, of law enforcement demands for data. These requirements, although not identical to those in other countries, are comparable.

Fourth, the capability to search and seize specifically targeted data from a stream establishes a technical requirement to scan all of it to identify the targeted data. It is for establishing the capability that Yahoo is being condemned, despite the total lack of information about how (or whether) it has been asked to use it. And it is the use of such a capability, not its mere existence, that determines whether it is lawful, constitutional, or morally acceptable.

I have a son that is cleared to work at that level of Gov. security. He can just pop up on my screen whenever he wants. He says if Uncle Sam wants to scan your undies then you better check for skid marks. He also believes that the only way is to put it in your damn mailbox and wait or drive over there and talk face to face. Good luck with all your malware and AVG (which is what he put in mine) if somebody wants in, they’re in. Ask Graham, he will tell you and he tries to every month. The best advice I can give is to hand carry it and learn to keep your big mouth shut.

I have as of today finally got rid of Yahoo. There is a much quicker way to get rid of Yahoo if you contact support directly; they then send you a few questions to answer about your account and that’s it, no waiting 90 days.

However, in their reply back, they sent me this…

I’ve gone ahead and deleted your ****** account for you. Just so you know:
• A Yahoo ID that has been deleted may be recycled for reuse. It’s impossible for Yahoo to reactivate a deleted account or retrieve any stored information in it.
• You’re always welcome to sign up for a new Yahoo account if you want to use Yahoo services again.